krb5/ldap troubles

Greg Hudson ghudson at MIT.EDU
Thu Jun 13 12:04:42 EDT 2013


On 06/13/2013 09:28 AM, Berthold Cogel wrote:
> System: RHEL5
> Kerberos: 1.6.1-70.el5 (MIT/RHEL)
> LDAP: openldap-ltb-2.4.28-1.el5

Short answer: you need a newer version of krb5.

Long answer: there's a serious performance scaling issue in the LDAP
driver prior to version 1.9 when password policy objects are used, for
two reasons:

1. Whenever a policy is looked up, all principals are scanned to find
out how many principals refer to the policy.  This is almost always
pointless work, since the "policy reference count" field is rarely used.

2. Whenever a principal is looked up, its corresponding policy object is
also looked up in order to set the password expiration time based on the
policy's max-life value.  Although this is not completely pointless,
it's probably going overboard since our DB2 back end doesn't do it.

So not only does the policy lookup cost scale with the number of
principals, but so does the principal lookup cost.

We fixed (1) in 1.9 and will remove (2) in 1.12.  If you cannot upgrade
to 1.9 or later, you should avoid the use of password policy objects.
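A small cost model of the two issues above, added here as an illustration rather than krb5's own code: the entry-per-principal accounting and the 1.9/1.12 version cutoffs are assumptions taken from the message, and the realm data is constructed.

```python
from typing import Optional, Tuple

def make_realm(n_principals: int):
    """Constructed sample data: N principals all under one password policy."""
    policies = {"default": {"max_life": 90 * 86400}}  # seconds
    principals = {f"user{i}": {"policy": "default", "last_pwd_change": 0}
                  for i in range(n_principals)}
    return policies, principals

class LdapKdbModel:
    """Hypothetical model of the LDAP KDB driver's lookups (not krb5 code);
    entries_read counts LDAP entries examined per lookup."""

    def __init__(self, policies, principals, version: Tuple[int, int]):
        self.policies, self.principals = policies, principals
        self.version = version  # krb5 version the model mimics
        self.entries_read = 0

    def get_policy(self, name: str) -> dict:
        self.entries_read += 1  # the policy entry itself
        if self.version < (1, 9):
            # Issue (1), fixed in 1.9: every principal is scanned to fill in
            # the rarely used policy reference count, so cost grows with N.
            refcount = 0
            for p in self.principals.values():
                self.entries_read += 1
                refcount += p["policy"] == name
        return self.policies[name]

    def get_principal(self, name: str) -> Tuple[dict, Optional[int]]:
        self.entries_read += 1  # the principal entry
        princ = self.principals[name]
        pw_expiration = None
        if princ["policy"] is not None and self.version < (1, 12):
            # Issue (2), removed in 1.12: the policy is fetched as well to set
            # the password expiration from max_life, so before 1.9 every
            # principal lookup also pays for the full principal scan.
            pol = self.get_policy(princ["policy"])
            pw_expiration = princ["last_pwd_change"] + pol["max_life"]
        return princ, pw_expiration

def lookup_cost(n_principals: int, version: Tuple[int, int], kind: str) -> int:
    """LDAP entries examined by one lookup ('principal' or 'policy') in a realm of N."""
    db = LdapKdbModel(*make_realm(n_principals), version)
    if kind == "principal":
        db.get_principal("user0")
    else:
        db.get_policy("default")
    return db.entries_read
```

With 1000 principals the model reads 1002 entries per principal lookup before 1.9, 2 in 1.9 through 1.11, and 1 from 1.12 on.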
